I think security levels should not be tied to client scopes directly because they
represent the client's view (what he needs to ask for). Security levels should be
bound to the resource server's view because he in the end decides what level of
authentication is necessary to get access, e.g. by means of having certain roles in the
token... However, I would like that feature.
Best regards,
Sebastian
Dr.-Ing. Sebastian Schuster
Bosch Software Innovations GmbH
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org On Behalf Of Bill Burke
Sent: Wednesday, 25 April 2018 17:06
To: Pedro Igor Silva <psilva(a)redhat.com>
Cc: Thorgersen, Stian <stian(a)redhat.com>; keycloak-dev
<keycloak-dev(a)lists.jboss.org>
Subject: Re: [keycloak-dev] OAuth2 Incremental Authorization
On Wed, Apr 25, 2018 at 10:45 AM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
> Adaptive authentication is a separate beast though as it may also be
> related to risk-based authentication/authorization. Some form of
> calculation based on different sources of information to obtain some
> score to then take some action. It is a hell of a feature depending on
> how much we want to invest in it.
Lol, that *WOULD* be cool... I always worried that step-up authentication would be an
edge case as most customers/users would want to require 2nd factor authentication up
front. Would a more common case be that a certain client scope requires
re-authentication, i.e. to perform a sensitive operation? FYI, I'm completely speculating here.
--
Bill Burke
Red Hat